Hi there,
I've been trying to create a new source type, but unfortunately with no success.
My data is uploaded from a CSV file (hold your horses, there's a small catch).
I put all of the relevant files in a folder (I use Windows) named "C:\Users\USERNAME\Desktop\USERNAME...\packetLog". I would like Splunk to continually index new files in this folder.
Each line in the CSV files looks like this (each field is separated by a semicolon):
1375781456.56672;2013-08-06 12:30:56.056672;1;1;1;1;0x0;1514;1500;1480;0xc5f7;0x4000;58;6;TCP;0x4848;0x5250fa16;82.80.250.22;0xd4b30bc2;212.179.11.194;80;34212;0xa20f32aa;0x82f09e0a;0;0;0;0;1;0;0;0;54;0x9b4d0000;-1;-1;0x0;-1;0x0;0;0;0;0;0
After reviewing some online documentation and examples, I created a new sourcetype in C:\Program Files\Splunk\etc\system\local\props.conf:
[source::...\packetLog...]
sourcetype = Analyzer_packets
FIELD_DELIMITER = ";"
FIELD_NAMES = "TIMESTAMP","TIMESTAMP_Friendly","PacketId","FlowId","pcap_ID",...(and so on for the other field names).
As you can probably see, creating fields with a regex in this case is extremely difficult, since more than one value has the same (or a very similar) pattern.
Your help will be greatly appreciated. If there's a need for additional info just say so.
Thanks!
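The configuration below is an added example, not the poster's own files or anything from Splunk's documentation verbatim. It shows the structured-data (indexed extraction) settings applied in a sourcetype stanza, with a monitor input that assigns that sourcetype to the folder. It assumes a Splunk version that supports INDEXED_EXTRACTIONS (6.0 or later), that the files have no header row (hence FIELD_NAMES), and that the friendly timestamp in the second column should be the event time. The folder path and the tail of the FIELD_NAMES list are placeholders; the first five field names are the ones given in the post.

```ini
; inputs.conf (etc/system/local or an app's local directory)
; Monitor the folder and tag everything in it with the new sourcetype.
; Path is a placeholder: replace with the real packetLog folder.
[monitor://C:\path\to\packetLog]
sourcetype = Analyzer_packets
disabled = false

; props.conf
; The structured-data settings go on the sourcetype stanza rather than
; a source:: stanza; the monitor input above already maps the folder to it.
[Analyzer_packets]
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ;
; No header line in the files, so the column names are declared here.
; <remaining_field_names> is a placeholder for the rest of the poster's list.
FIELD_NAMES = TIMESTAMP,TIMESTAMP_Friendly,PacketId,FlowId,pcap_ID,<remaining_field_names>
; Use the human-readable column as the event time; %6N matches the
; six-digit fractional seconds in "2013-08-06 12:30:56.056672".
TIMESTAMP_FIELDS = TIMESTAMP_Friendly
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%6N
; One CSV row is one event.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
```

Two practical points when checking this: indexed extractions are performed where the file is read, so if a universal forwarder collects the folder the props.conf stanza has to live on that forwarder, not only on the indexer; and after a restart, `splunk btool props list Analyzer_packets --debug` shows which file each setting is actually coming from, which quickly exposes a stanza that is not being picked up.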